Proprietary digital information is arguably the most valuable intellectual asset developed, shared, and traded among individuals, businesses, institutions, and countries today. This information is mostly held in electronic digital formats, e.g., alphanumeric text, audio, video, photographs, scanned images, etc. The exposed storage and transport of this proprietary information, particularly for the purpose of sharing among separate collaboration groups, has significantly increased the risk of its interception and theft by criminal elements, competitors, amateur thieves, computer hackers, terrorists, or political or industrial spies.
Simultaneously, there is an increased need for mobility of such data by physical or logical transport between home and office, or from office to office(s) among designated recipients. The dramatic increase in the velocity of business transactions and the fusion of business, home, and travel environments has accelerated the sharing of this proprietary commercial, government, and military digital information. To facilitate sharing and mobility, large amounts of valuable information may be stored on a variety of portable storage devices (e.g., memory cards, memory sticks, flash drives, optical and magnetic hard disc media) and moved among home and office PCs, portable laptops, PDAs and cell phones, and data and video players and recorders. The physical mobility of these storage devices makes them vulnerable to theft, capture, loss, and possible misuse. Indeed, the storage capacity of such portable devices is now approaching a terabyte, sufficient to capture an entire computer operating environment and its associated data; a targeted computer could be copied onto the storage medium and its entire data environment replicated on an unauthorized “virgin” computer or host device.
Another trend in data mobility is to upload and download data on demand over a network, so that the most recent version of the data is always accessible and can be shared only with authorized users. This facilitates the use of “thin client” software, minimizes the cost of storing replicated versions of the data, facilitates the implementation of a common backup and long-term retention and/or purging plan, and may provide enhanced visibility and auditing as to who accessed the data and when, as may be required for regulatory compliance. However, concentrating the data behind thin clients greatly increases its exposure to attackers who are able to penetrate the firewalls and other network defenses, unless the data is encrypted on the storage medium in such a way that only authorized users can make sense of it, even if an unauthorized party obtains the encrypted files.
There is a balance among legal, economic, national security, and pragmatic motivations to develop robust security implementations and policies to protect the storage of proprietary digital information, based on the value of the information, the consequences of its exposure or theft, and the identification and trust associated with each of the targeted recipients. In order to provide such varying degrees of protection for portable storage devices, system methods and application functionality must be developed and easily integrated into the operating procedures of the relevant institutions. Different policies defining degrees of protection are required to economically accommodate and adapt to a wide range of targeted recipient audiences for this data.
Currently and predominantly, for portable storage devices, passwords and software solutions are used to encrypt information and to authenticate the users who access and manipulate private intellectual property. The sophistication of literally millions of mathematicians, computer engineers, and scientists, many of whom may be hostile to the protection of digital intellectual property for economic, political, or frivolous purposes, is a serious threat to the efficacy of the simple password-security and software-encryption implementations currently found on such portable devices. Furthermore, the difficulty, and in some cases the impossibility, of changing the security policies that govern access to such data is yet another barrier to the owner's commercial and institutional interest in controlled and directed sharing of the information, and to the user's ability to retrieve, search, and store such data in daily activities.
In contrast, some users have adopted the use of hardware-based encryption solutions in order to prevent these problems, only to discover a few years later that their data was irretrievable because their cryptographic token was lost, stolen, or malfunctioned and they had no backup or recovery agent capability, or that interesting or even vital historical records could not be read because no information exists as to what keys were used to encrypt the documents, or what tokens or PINs were used. It is easy to imagine that if these issues are a significant problem today, then the problem of encrypting data for personal privacy for 40 or 50 years, or even the life of the individual, will become overwhelming.
What is needed are highly robust and proven security techniques incorporated into new system methods and into new commercially available portable storage hardware apparatus to implement configurable security policies for accessing information through rigorous authentication means, to secure the information with certified levels of accepted cryptographic technology, and to rigorously control the environment within which the information is shared.
What is needed is a secure portable storage apparatus and method of encrypting and sealing (via a combination of secure hash and digital signature technologies) digital information files and storing them in the device's integral or removable memory, or alternatively on the host device's memory or other ancillary memory storage devices, while operating under cryptographically protected security policies for transport and authorized access to such digital information.
It is essential that the portable encryption device provide and make use of a highly secure logon mechanism, so that a user is neither permitted nor able to operate the device to encrypt, decrypt, sign, or verify data, or to perform other sensitive operations, unless and until that user has been specifically authenticated and authorized in accordance with the organization's security policies and procedures. To this end, it would be very desirable for the device to support a secure PIN entry mechanism, an optional biometric identification mechanism, and various other optional enhanced authentication devices, functions, and methods.
Because the secure portable encryption device may be used in a high-threat and high-risk environment, there is the possibility that the device could be lost, stolen, or captured by competitive or criminal forces, and later disassembled and even reverse engineered by a sophisticated and capable adversary. For this reason, it is highly desirable that it be impossible for such an organization to extract the user's authorization PIN or password, biometric template, or other enhanced authentication/authorization parameters, or any of the private keys or critical cryptographic parameters, either from the data itself, from the encryption device, from the cryptographic processor, or from any combination of the three.
There is a need for secure physical and logical transport of data for multiple recipients. To this end, it is desirable to provide a means of securely transporting data from one place to another, if the user has to carry the data with him or her, or physically transport the data and the secure encryption device, and somehow communicate the information necessary to log on and access the data by another authorized user. What is required are a multiplicity of methods to securely transport the encrypted data, either physically or logically, between an Originator user and one or more authorized Recipient users of devices and host computers that are operating within authorized enclaves or domains, or are members of certain authorized Communities of Interest.
An “enclave” is considered to consist of one or more host computers operating within a single organization or enterprise and under the control of a common security administration, typically subject to some level of physical security, and within which there is some reasonable expectation of interoperability with respect to the use of the subject invention. An example of an enclave would be the computers used within a single corporate campus, such that an employee could insert and use the secure portable encryption device on any of them. An enclave may be restricted in its scope to include only those host computers that are authorized to process information of a particular type, e.g., Engineering, Human Resources, or Finance. A given host computer may be authorized to be a member of multiple enclaves. A “domain” is considered to consist of one or more enclaves distributed across one or more enterprises or organizations, all operating within a common security framework and policy. An example would be a collection of computers operating at the SECRET level throughout a portion of the Department of Defense, including civilian contractors and other cleared users. A “Community of Interest” is typically a more loosely defined set of host processors and users who all share a common interest and “Need to Know,” even if (in some cases) that interest spans enclaves and domains and even governmental boundaries. An example would be communications between the U.S. military and its allied and coalition partners, and in some cases even indigenous tribal authorities and informal collaborators. In the civilian or social networking sphere, a community of interest might include “Friends and Family,” a chat room, membership on a professional or social e-mail or blog list, etc.
In many environments, it is not sufficient merely to restrict the physical access and ability to log on to the device to certain host computers within a given enclave. Instead, there is a need for restricted communication and data containment, and it is necessary to constrain encrypted communications to those members of a pre-defined Community of Interest, so that no one outside of that Community of Interest could possibly decrypt the message. Such a mechanism could be used to enforce Mandatory Access Controls (e.g., clearance levels, compartments, and/or caveats in the military), or a defined Need-To-Know for various proprietary or sensitive types of information in commercial enterprises.
It is very important to provide a mechanism for data confinement, such that the secure portable encryption device can only be used in combination with an authorized host computing device. In a military environment, such a mechanism would prevent the encrypted data from being compromised even if the user were coerced into divulging or entering the PIN or password and activating any biometric sensors. In a commercial enterprise environment, such a mechanism could be used to prevent an authorized user from accessing and storing proprietary or personal data and later decrypting it on a home computer without proper authorization, for personal gain, vicarious pleasure, or more nefarious purposes.
Similarly, in multiple-recipient data sharing modes of operation, it would be highly desirable to provide one or more system methods or means to control access and cryptographic operations, so that the data contained in or secured by such a secure portable encryption device can only be encrypted on behalf of, and decrypted by, an authorized user, and only on an authorized host computing device as dictated by the security policies of the enclave, domain, or Community of Interest; and not by just anyone who may possess an encryption key pair that could be used in the encryption/decryption process. It would also be highly desirable to ensure that the data is authenticated as having originated by a given user, and to provide nonrepudiation-level protection against manipulation or substitution of the data by an attacker.
It would also be highly desirable if a “blocking” or “guard processor” can be provided to ensure that only encrypted and sealed information can be written to or read from designated input/output ports or devices, including removable media. Similarly, it would be highly desirable to support the use of a “black” guard processor that could examine any incoming or outgoing traffic on a communications link to ensure that it was properly encrypted and had not been modified prior to allowing it to be transmitted or received, without the necessity of providing the guard processor the ability to decrypt the data. A “red” guard processor could also be used to decrypt and examine the data for specified sensitive context prior to either releasing it for transmission or, if sensitive data is identified, returning it to the originator with instructions to delete the sensitive data, and perhaps raising an alarm or log event that proper policies have not been followed.
There is a need for very long-term data recovery mechanisms, and, in order to conform to various regulatory and organizational governance requirements, it is desirable that one or more recovery agents be supported, possibly of different types, so that the encrypted data can be decrypted if necessary even if the original cryptographic keys have been lost and the original user's PIN forgotten. Preferably, the information necessary to support this recovery is embedded in the encrypted data itself.
In the case of small businesses or home users, it may be important to provide some form of inexpensive Recovery Agent capability that can be used in conjunction with a primary encryption device to decrypt and recover data on a one-time-only basis. Because such a device or means will only be used in the event of the loss or malfunction of the primary device, it may be sufficient (and desirable from a marketing perspective) to limit its functionality to a decrypt-only mode of operation. For this reason, it is desirable to support a hybrid mode of operation, providing a static private Elliptic Curve Cryptography (“ECC”) key within a security processor or token, to be used for decryption only, with the symmetric-key cipher operations performed in software, or at a very bandwidth-limited rate in hardware.
Because it is difficult to predict the course of history, the possibility of natural disasters, the failure or obsolescence of the hardware device, and even the dissolution of the original equipment vendor or the user's organization, it is desirable that a highly robust solution be devised to enable distant generations to read the data easily, while at the same time protecting the data as securely as possible for the current generation. This requires what we define as “strong but brittle cryptography”—a cryptographic system that will resist all known attacks for a well-defined period of years or decades, and then will suddenly “snap” and provide relatively simple access to the data by future historians. Because it is difficult to ensure that any hardware mechanism will survive for many decades without failure, in addition to the hybrid decryption function described previously, it is desirable to support a decrypt-only function in a purely software means or mechanism, so that the inevitable changes in computers, operating systems, applications, and even programming languages can be accommodated by updating or porting the software functionality to the future environment.
Finally, it must be recognized that the long-term storage of encrypted data presents some very difficult problems in sorting, searching, or even finding any data that is relevant to a particular subject, without being forced to decrypt the entire archive in order to find something. This process is difficult enough if the document is a text document that can be searched relatively easily, but if the information sought is a photograph, drawing, sound recording, musical score, computer program, or other more abstract data type, then the search process can be very difficult indeed. In addition to the search difficulty, there is a cost associated with the long-term storage of any kind of data, encrypted or not, and it is often necessary to make an intelligent decision as to what to save and what to discard. But if the information is encrypted, making that decision effectively requires that the information be decrypted in order to examine it, and that may not be practical if terabytes, petabytes, or even exabytes of data are involved. For this reason, it would be desirable if metadata—data about the data—could be saved along with the encrypted data itself. This metadata might or might not be as sensitive as the data itself, just as the subject line of an e-mail might or might not be particularly revealing. In some cases, it may not be necessary to encrypt the metadata at all, and in other cases it may be sufficient to encrypt the metadata using a key that is common across many such files or messages and is shared with a central archive, catalog, or directory facility. It is therefore desirable to provide a mechanism for attaching metadata to the encrypted file in such a manner as to facilitate the cataloging and subsequent discovery of the contents of the files involved, allowing the metadata to be sent in the clear, or encrypted in a common key or keys of the archive facility or catalog.
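As an added illustration, not part of this specification, the following Python sketches the envelope layout implied by the guard-processor requirement above and by the metadata requirement just discussed: a clear metadata header, a nonce, the ciphertext, and a seal over all three. A “black” guard holding only the seal-verification key can reject modified or unsealed traffic without ever holding the content key, and a catalog can read the header without it either. Everything specific in it is assumed for the example: the SPE1 envelope identifier, the header layout, a SHA-256 counter keystream standing in for AES-CTR, and an HMAC seal standing in for the hash-plus-digital-signature seal the text calls for.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed example keys. On the device the text describes these would be
# held inside the cryptographic processor; they are inline here only so the
# example runs stand-alone.
CONTENT_KEY = hashlib.sha256(b"example content-encryption key").digest()
SEAL_KEY = hashlib.sha256(b"example seal key").digest()

MAGIC = b"SPE1"      # hypothetical envelope identifier (assumed for the example)
NONCE_LEN = 12
TAG_LEN = 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256: a stand-in for AES-CTR so
    the example needs only the standard library, not a certified cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + struct.pack(">Q", counter)).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, metadata: dict) -> bytes:
    """Encrypt the payload, then seal header + nonce + ciphertext together.
    The metadata header travels in the clear but is covered by the seal, so a
    catalog can index it without the content key and nobody can alter it."""
    header = json.dumps(metadata, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor(plaintext, _keystream(CONTENT_KEY, nonce, len(plaintext)))
    body = MAGIC + struct.pack(">I", len(header)) + header + nonce + ciphertext
    tag = hmac.new(SEAL_KEY, body, hashlib.sha256).digest()
    return body + tag


def guard_check(envelope: bytes) -> bool:
    """Black guard: holds SEAL_KEY only, never CONTENT_KEY. It confirms that the
    object is a sealed envelope and unmodified, and learns nothing about the
    payload. Raw plaintext or a damaged envelope is rejected."""
    if len(envelope) < len(MAGIC) + 4 + NONCE_LEN + TAG_LEN:
        return False
    if envelope[:len(MAGIC)] != MAGIC:
        return False
    body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(SEAL_KEY, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def read_metadata(envelope: bytes) -> dict:
    """Catalog-side access to the clear metadata; needs no content key."""
    if not guard_check(envelope):
        raise ValueError("seal verification failed")
    header_len = struct.unpack(">I", envelope[4:8])[0]
    return json.loads(envelope[8:8 + header_len])


def open_envelope(envelope: bytes) -> bytes:
    """Recipient side: verify the seal first, decrypt only afterwards."""
    if not guard_check(envelope):
        raise ValueError("seal verification failed")
    header_len = struct.unpack(">I", envelope[4:8])[0]
    start = 8 + header_len
    nonce = envelope[start:start + NONCE_LEN]
    ciphertext = envelope[start + NONCE_LEN:-TAG_LEN]
    return _xor(ciphertext, _keystream(CONTENT_KEY, nonce, len(ciphertext)))


if __name__ == "__main__":
    # Constructed sample message and metadata.
    env = seal(b"quarterly design review, draft 3",
               {"subject": "engineering", "originator": "alice"})
    print("guard accepts sealed envelope:", guard_check(env))
    print("catalog sees metadata:", read_metadata(env))
    tampered = bytearray(env)
    tampered[-TAG_LEN - 1] ^= 0x01          # flip the last ciphertext byte
    print("guard accepts tampered envelope:", guard_check(bytes(tampered)))
    print("guard accepts raw plaintext:", guard_check(b"quarterly design review, draft 3"))
```

One caveat worth stating: an HMAC seal gives the guard a key that could also forge seals, which is exactly why the specification asks for a hash-plus-signature seal; with a digital signature the guard holds only the originator's public verification key. The standard library has no signature primitive, so HMAC is used as a stand-in here, and the layout, the verify-before-decrypt ordering, and the separation of seal and content keys carry over unchanged.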
In modern communications systems, data, typically in the form of a file, may be communicated, relayed, and stored over a large number of communications and storage media, each of which has some small but finite probability of introducing an error into the transmission or storage of that information. Even if the error is later detected, it may not be possible to correct it if the original source is no longer available. In particular, depending on the mode of operation of the cryptographic system, an uncorrected error may propagate throughout the remainder of the decrypted file or message after the point of the error, rendering the data completely unintelligible. This is a particular problem in the case of one-way transmissions, e.g., when the recipient is operating under “EMCON” (emissions control) or radio silence conditions and cannot request a retransmission, as well as for one-way storage or archive operations. Although it may not be possible to prevent such errors completely, it is desirable to have robust error detection and correction, and to make use of Forward Error Correction techniques that are embedded in the file or message itself and can therefore be used to recover from errors on an end-to-end basis, rather than relying on the proper operation of every intermediate link and storage mechanism.
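The mode dependence described above, as an added worked example that is not from this specification. A toy Feistel block cipher with a SHA-256 round function stands in for AES (assumed here only so the example runs with the standard library); the three modes, CBC, PCBC and CTR, are implemented from their definitions. One bit of ciphertext in block 2 of an eight-block message is flipped and the function reports which plaintext blocks no longer decrypt correctly: CBC loses block 2 and one bit of block 3, PCBC loses every block from 2 to the end of the message, and CTR loses only the flipped bit.

```python
import hashlib

BLOCK = 16      # block size in bytes
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, i: int) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 128-bit Feistel cipher; a stand-in for AES. The mode, not the
    cipher, is what this example is about."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round_fn(key, right, i))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_fn(key, left, i)), left
    return left + right


def _counter_block(iv: bytes, n: int) -> bytes:
    return _xor(iv, n.to_bytes(BLOCK, "big"))


def encrypt(mode: str, key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    if len(plaintext) % BLOCK:
        raise ValueError("example uses whole blocks only")
    out, prev_c, prev_p = [], iv, bytes(BLOCK)
    for n in range(len(plaintext) // BLOCK):
        p = plaintext[n * BLOCK:(n + 1) * BLOCK]
        if mode == "CBC":       # C_n = E(P_n ^ C_{n-1})
            c = block_encrypt(key, _xor(p, prev_c))
        elif mode == "PCBC":    # C_n = E(P_n ^ P_{n-1} ^ C_{n-1})
            c = block_encrypt(key, _xor(p, _xor(prev_c, prev_p)))
        elif mode == "CTR":     # C_n = P_n ^ E(IV ^ n)
            c = _xor(p, block_encrypt(key, _counter_block(iv, n)))
        else:
            raise ValueError(mode)
        out.append(c)
        prev_c, prev_p = c, p
    return b"".join(out)


def decrypt(mode: str, key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev_c, prev_p = [], iv, bytes(BLOCK)
    for n in range(len(ciphertext) // BLOCK):
        c = ciphertext[n * BLOCK:(n + 1) * BLOCK]
        if mode == "CBC":
            p = _xor(block_decrypt(key, c), prev_c)
        elif mode == "PCBC":    # a garbled P_{n-1} feeds every later block
            p = _xor(block_decrypt(key, c), _xor(prev_c, prev_p))
        elif mode == "CTR":
            p = _xor(c, block_encrypt(key, _counter_block(iv, n)))
        else:
            raise ValueError(mode)
        out.append(p)
        prev_c, prev_p = c, p
    return b"".join(out)


def damaged_blocks(mode: str, key: bytes, iv: bytes, plaintext: bytes, byte_index: int):
    """Flip one bit of the stored or transmitted ciphertext and report which
    plaintext blocks fail to decrypt correctly."""
    ct = bytearray(encrypt(mode, key, iv, plaintext))
    ct[byte_index] ^= 0x01
    pt = decrypt(mode, key, iv, bytes(ct))
    return [n for n in range(len(plaintext) // BLOCK)
            if pt[n * BLOCK:(n + 1) * BLOCK] != plaintext[n * BLOCK:(n + 1) * BLOCK]]


if __name__ == "__main__":
    key = hashlib.sha256(b"example key").digest()
    iv = bytes(range(BLOCK))
    message = bytes(range(8 * BLOCK))        # constructed 8-block message
    for mode in ("CBC", "PCBC", "CTR"):
        print(mode, "blocks damaged by one flipped bit in block 2:",
              damaged_blocks(mode, key, iv, message, 2 * BLOCK + 3))
```

CTR's lack of error propagation is what makes it friendly to one-way links, but it carries no integrity of its own, so a flipped bit goes undetected unless a seal or an embedded error-correcting code covers the message; PCBC is the mode to avoid when retransmission is impossible.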
In implementing all of the above functionality, it is highly desirable that the methods and apparatus use encryption/decryption and digital-signing techniques, and the related private-key and public-key algorithms and key sizes, that are preferred by the communities of users, have been adopted as international or national standards, or are proprietary to particular institutions. One preferred cryptographic embodiment and implementation is currently (year 2008) represented by the “Suite B” algorithms for both unclassified and classified use by the U.S. Government. Suite B consists of Elliptic Curve Cryptography (ECC) over the prime field GF(p), using the P-256 and P-384 curves for key establishment between two parties as well as for digital signature creation and verification; the Advanced Encryption Standard (AES) with key sizes of 128 or 256 bits for symmetric-key encryption; and the updated Secure Hash Algorithms (SHA-256 and SHA-384). Reference is also made to U.S. Pat. No. 6,088,802, “Peripheral Device With Integrated Security Functionality,” and U.S. Pat. No. 6,003,135, “Modular Security Device,” both of which are incorporated by reference in their entirety.
At the present time, extrapolating the increase in performance and scale of existing technology indicates that ECC P-384 keys should resist attacks by even nation-states for well over 100 years. However, the looming threat on the horizon is the possibility of highly parallel computation made possible by a form of computation called “quantum computing.” At present, many cryptographic protocols, including RSA and ECC, are believed to be secure, in that the effort required to break them is considered computationally infeasible. The possibility that quantum computing might become feasible would change this picture dramatically. If realized, the difficulty of the underlying problems (integer factoring for RSA and the discrete logarithm for ECC, both attacked by Shor's algorithm) would drop from exponential to merely polynomial complexity, rendering currently deployed public-key systems and key lengths useless. Current expectations by knowledgeable people in the field are that quantum-computing attacks against ECC might become feasible within 30 to 50 years, and that we may have a better understanding of the threat within 10 years. At least at present, there does not seem to be a comparable threat against AES, particularly AES-256: the best known quantum attack on a symmetric cipher, Grover's algorithm, only roughly halves the effective key length, leaving AES-256 with about 128 bits of security. The possible threat against “SHA-2” is not known, but NIST has initiated a call for a next generation of hashing functions, “SHA-3.” It is therefore desirable to resist quantum-computing attacks against ECC and against SHA-2 wherever possible.
Most prior art solutions for securing information on portable storage devices, for transport to different host computing devices or for use by authorized users, have certain vulnerabilities as a result of their reliance on software and unprotected hardware implementations, or on the long-term, static, non-volatile, and accessible storage of important codes and cryptographic parameters. These vulnerabilities have become much more widely exploitable because of the readily available technological and intellectual resources possessed by well-funded criminal elements, rogue nations, terrorists, and political and military enemies. As of December 2006, as quoted in the New York Times, “Despite an almost four-and-a-half-year campaign on the part of the company (Microsoft), and the best interests of the computer industry, the threat from harmful computer software continues to grow. Criminal attacks now range from programs that steal information from home and corporate PCs to growing armies of slave computers that are wreaking havoc on the commercial Internet.” Many computer security companies say that there is a lively underground market for information that permits attackers to break into systems over the Internet, through Trojan horses and other hardware and software means of subverting processors and software.
Attacks on personal computers and on commercial, government, and military data are now commonplace; indeed, identity theft, frequently accomplished through stolen passwords, is the largest white-collar crime in the United States. Yet passwords and PINs (Personal Identification Numbers), in most cases chosen by human beings who are tempted to use native-language words, Social Security Numbers, telephone numbers, etc., are still the most widely used access security method for protecting portable encryption devices, and among the most vulnerable both to brute-force and dictionary attacks and to sophisticated logic tracing. Professional criminal attackers and even amateur hackers now have access to sophisticated software and networks of computing power that can invade processing and storage devices without the owner's knowledge, trace software instruction sequences and memory locations, and, by knowing or discovering the algorithms in use, intercept and copy encryption keys, PINs, and other profile data used to protect access to stored content. They can exploit vulnerabilities in the underlying commercial software, in the construction of the integrated circuits housing and executing the cryptographic processes, or in the specialized cryptographic software, any of which can expose keys and access parameters at some deterministic point in the processing sequence. Industrial laboratory facilities are also available to read the contents of memory cells directly, by measuring the stored electrical charge with electron-beam microscopes, and thus to steal stored PINs and keys and access the previously protected data.
One of the key deficiencies of the prior art, therefore, is the widespread reliance on a stored PIN or password that is used for comparison purposes, for access control, or for password-based encryption to protect other cryptographic variables. Typically, the value that is stored is not the PIN itself but a hashed or otherwise obfuscated version of it, e.g., in the form produced by a PKCS #5 (PBKDF2) process. In the case of password-based encryption, the PIN itself may not be stored, but only a key encrypted under it, which may then be used to encrypt other information. In any case, however, some value derived from the PIN is stored, and if it is possible to locate and extract that value, then it is in general possible to mount an offline exhaustive search against the PIN itself, with no constraints as to the amount of time, the number of unsuccessful attempts, or the number of networked, distributed processors that may be applied to the effort. Many of the more celebrated attacks against Digital Rights Management and copy-protection systems for digital media, for example, have been carried out by exactly such means.
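The offline search described above, as an added example that is not from this specification. The stored verifier is a PBKDF2 derivation of the PIN; once an attacker has extracted it together with its salt, the whole four-digit space is enumerated with nothing to limit the attempt count. The contrasting LockoutGate class shows what the text asks of the device instead: the comparison happens only inside the device, a failure counter is enforced, and the verifier is zeroized when the counter runs out. The iteration count, the lockout limit, and the sample PIN are all chosen for the example; the iteration count is deliberately low so that it runs in seconds.

```python
import hashlib
import hmac
import itertools
import os

ITERATIONS = 1_000   # deliberately low for the example; real deployments use far more
SALT_LEN = 16


def make_verifier(pin: str, salt: bytes) -> bytes:
    """What typically gets stored: a PBKDF2 (PKCS #5) derivation of the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, ITERATIONS)


def offline_search(verifier: bytes, salt: bytes, digits: int = 4):
    """What an attacker does once the stored verifier and salt are extracted:
    enumerate the whole PIN space offline. Nothing limits the attempt count or
    the number of machines; the search ends when a candidate matches.
    Returns (pin, attempts), or (None, attempts) if the space is exhausted."""
    attempts = 0
    for tup in itertools.product("0123456789", repeat=digits):
        attempts += 1
        candidate = "".join(tup)
        if hmac.compare_digest(make_verifier(candidate, salt), verifier):
            return candidate, attempts
    return None, attempts


class LockoutGate:
    """The contrasting design: the verifier never leaves the device, the
    comparison happens only inside it, a failure counter is enforced, and the
    verifier is zeroized when the counter runs out, so there is nothing left
    to search."""

    def __init__(self, pin: str, max_attempts: int = 5):
        self._salt = os.urandom(SALT_LEN)
        self._verifier = make_verifier(pin, self._salt)
        self._max_attempts = max_attempts
        self.remaining = max_attempts

    def try_pin(self, pin: str) -> bool:
        if self._verifier is None:
            return False                       # zeroized: permanently locked
        if hmac.compare_digest(make_verifier(pin, self._salt), self._verifier):
            self.remaining = self._max_attempts
            return True
        self.remaining -= 1
        if self.remaining == 0:
            self._verifier = None              # zeroize on exhaustion
        return False


if __name__ == "__main__":
    salt = os.urandom(SALT_LEN)
    stored = make_verifier("4821", salt)       # constructed: a leaked 4-digit PIN verifier
    pin, attempts = offline_search(stored, salt)
    print(f"offline search recovered PIN {pin} after {attempts} attempts")
    gate = LockoutGate("4821", max_attempts=5)
    for guess in ("0000", "1111", "2222", "3333", "4444"):
        gate.try_pin(guess)
    print("correct PIN accepted after lockout:", gate.try_pin("4821"))
```

Raising the iteration count does not rescue a short PIN: even at 100,000 iterations the full four-digit space is a billion HMAC-SHA-256 computations, well within reach of one machine and trivially split across many. The attempt counter only helps if the verifier cannot be extracted and searched elsewhere, which is the point the text makes about keeping it out of accessible non-volatile storage.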
The prior art is also directed at methods of cataloging user access at different security sensitivity levels and in different communities of interest through access control tables generally located on centralized servers. These tables are controlled by an institution's centralized policies, which specify predetermined access rights for each of a plurality of users relative to data resources that are themselves identified with predetermined levels of security. The tables further include domain and rule information for each user, controlling the collection of domains and the conditions under which the user's security rights are authorized. Such systems are optimized for protecting access to centralized sensitive data, but they are not adaptable to securing the authorization, access, and decryption rights of users to data that is transported on portable storage media. Since the table data is external to the secured medium on which the data is stored, the processes that authenticate the user and authorize decryption of the data are generally not cryptographically secure, nor can they be implemented by the portable storage device itself, even when the device has processing capability.
Many prior art methods exist for the key-management protection necessary to secure key-encrypting keys for large groups of users. Split-key secret-sharing schemes have been proposed whereby the decryption key is split into shares held by multiple parties or entities, which are later combined to reconstitute the decryption key. In these cases, however, the individual secret shares are themselves maintained statically in multiple storage devices, generally on-line, where they are susceptible to attackers, particularly from within the institution, who can target the shares and recombine them to form the decryption key. Such solutions are implemented for relatively static configurations of computing and storage devices and related communities of interest or tiers of users, and have not addressed how to protect key-encrypting keys when the data itself, and the means to encrypt and decrypt the data and to generate and recombine the shared secrets, are on a portable device.
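The split-key scheme criticized above, as an added example that is not from this specification, so that the weakness is concrete. This is Shamir secret sharing over a prime field: the key-encrypting key is the constant term of a random polynomial of degree k-1, each share is the polynomial evaluated at a distinct point, and any k shares recover the key by Lagrange interpolation at zero. The field prime, the share indices, and the 256-bit key length are choices made for the example.

```python
import secrets

# Field prime: the Mersenne prime 2**521 - 1, comfortably larger than a
# 256-bit key-encrypting key, so the key is a single field element.
PRIME = 2 ** 521 - 1
KEK_LEN = 32


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(kek: bytes, n: int, k: int):
    """Split a key-encrypting key into n shares, any k of which recover it.
    The constant term is the secret; the other k-1 coefficients are random,
    so any k-1 shares are consistent with every possible secret."""
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    secret = int.from_bytes(kek, "big")
    if secret >= PRIME:
        raise ValueError("secret too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recombine_key(shares, length: int = KEK_LEN) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares. With fewer
    than k shares this still returns a value, just not the key; the caller
    cannot tell from the arithmetic alone, which is why the recombined key is
    normally checked against a wrapped test value before use."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    # A wrong reconstruction may exceed the key length; widen rather than fail.
    return secret.to_bytes(max(length, (secret.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    kek = secrets.token_bytes(KEK_LEN)           # constructed key-encrypting key
    shares = split_key(kek, n=5, k=3)
    print("3 of 5 recover the key:", recombine_key(shares[:3]) == kek)
    print("2 of 5 recover the key:", recombine_key(shares[:2]) == kek)
```

The mathematics is sound; the deficiency the text points at is operational. If the five shares sit on five on-line servers, an insider who reaches three of them has the key, with no cryptographic step in the way. The design called for here generates the shares inside the portable device at the moment of splitting, hands each to a separate custodian, keeps none of them persistently, and performs the recombination inside the device so that the reconstituted key never appears in host memory.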